Cookie Policy

The rapid development of the digital ecosystem has made transparency in the collection and processing of user data a legal necessity. Institutions operating corporate-level web platforms are obliged to protect the privacy of personal data while optimizing the visitor experience.

As ZyrexUI Web & Graphic Design Agency, founded in 2020 on more than 15 years of industry experience and operating in Istanbul, Recife, and Rio de Janeiro, we treat legal compliance as a fundamental principle in building innovative and secure infrastructures. Data security, an inseparable part of our corporate and modern design approach, is a critical parameter for the reputation management of businesses. Cookie practices on websites are bound by strict rules under both local legislation and international standards.

Legislative Basis and Legal Framework

All digital platforms operating within or providing services to users in the target jurisdiction are subject to data protection laws (such as GDPR). In light of the guidelines published by data protection authorities, any log record, IP address, and browser information obtained through cookies that makes an individual directly or indirectly identifiable is considered "personal data."

The European Union General Data Protection Regulation (GDPR) and the e-Privacy Directive impose additional obligations on platforms serving globally. In multinational structures, cross-border data transfers must be based on specific data protection agreements.

Businesses acting as Data Controllers are obliged to fulfill the disclosure obligation. At the moment users first enter the platform, they must be informed transparently, clearly, and accessibly about which data will be shared, for what purposes, for how long, and with whom.

💡 Tip: Layered Disclosure Strategy

In accordance with authority decisions, cookie disclosures should be presented in a "layered" structure. The first layer (banner/pop-up) should include basic information and preference buttons, while the second layer (detailed disclosure text page) should include technical details, cookie names, and retention periods.

Classification of Cookies and Technical Analysis

Tracking and optimization tools used in the architecture of platforms are divided into different categories according to their functions and retention periods. The scope of legal obligations varies directly according to the type of cookie used.

| Cookie Category | Purpose of Use | Legal Basis (Consent Status) | Example Use Case |
| --- | --- | --- | --- |
| Mandatory (Strictly Necessary) Cookies | Enabling the basic functions of the platform, preventing security vulnerabilities, and providing session management. | No Explicit Consent Required (Legitimate Interest / Performance of Contract) | Keeping the products added to the cart in memory during page transitions. |
| Performance and Analytical Cookies | Measuring visitor traffic, detecting error rates, and optimizing page load times. | Explicit Consent Required | Collecting page view statistics anonymously via Google Analytics or similar tools. |
| Functional Cookies | Providing a personalized experience by remembering user preferences (language, region, theme). | Explicit Consent Required | Automatic application of the selected language preference in subsequent visits to an international platform. |
| Targeting and Advertising Cookies | Profiling user behavior, displaying advertisements suitable for interests, and remarketing activities. | Explicit Consent Required | Showing relevant banner advertisements on different websites based on the visited product category. |

Digital Obligations of Businesses

In line with the basic principles to be followed in personal data processing, the technical and administrative measures to be implemented by platform owners are as follows:

  • Establishing an Explicit Consent Mechanism: Active, free-willed, and informed consent must be obtained for all tools other than mandatory cookies. Advertising or analytical cookies should not be placed in the browser before consent is obtained (Opt-in principle).
  • Revocability of Consent: Users must be provided with an interface (Cookie Management Panel) where they can change or cancel their cookie preferences at any time, as easily as they gave consent.
  • Prevention of Implied Consent Violation: The visitor continuing to browse the page (scroll down) is not legally accepted as "explicit consent." Presenting checkboxes as pre-ticked is contrary to regulations.
  • Accessibility of the Disclosure Text: The relevant text should always be accessible from the bottom of the home page (footer) and should be written in clear language, free from legal jargon.

⚠️ Risks and Penal Sanctions

Under data protection laws, serious administrative fines are foreseen in case the disclosure obligation is not properly fulfilled or data is processed unlawfully without complying with explicit consent conditions.


As a result of audits or user complaints, administrative fines reaching millions of dollars can be applied depending on the scale of the violation and the economic size of the business. Additionally, if unlawful data processing activity is detected, a decision may be made to stop data processing activities on the institution's digital platforms, leading to irreparable reputation loss.

User Rights and Data Security Standards

Data subjects have the right to learn whether personal data concerning them is processed, to request information if it has been processed, and to learn the purpose of processing. The right to request the correction of missing or incorrectly processed data and to request the deletion or destruction of data (Right to be Forgotten) when legal conditions are met is a legal guarantee.

In systems designed with ZyrexUI architecture, security layers are equipped with infrastructures that allow these rights to be exercised quickly and completely. In addition to browser-based blocking methods, server-side consent log mechanisms are established to meet the legal burden of proof.

Legal Disclaimer (Informational Purposes Only)

This document has been prepared for informational purposes in light of sectoral experiences to create awareness about cookie applications and general legal obligations on web platforms. The matters contained in the content do not constitute an official legal opinion or binding legal advice. Due to the dynamic nature of legislation and the specific operations of each business, it is recommended to obtain professional support from expert lawyers and registered data protection consultants for the preparation of your official disclosure texts and the management of your compliance processes.

Frequently Asked Questions

Cookies are small text files, usually consisting of letters and numbers, that are stored on your computer or mobile device through your browser when you visit a website. They ensure the efficient operation of the platform, remember user preferences, and facilitate analytical processes.

Yes, it is absolutely mandatory. Google Analytics uses performance and analytical cookies. Since these cookies process visitors' IP addresses and behavioral data, they are considered personal data under data protection laws (such as GDPR/KVKK). Therefore, both a disclosure and the visitor's explicit consent are required.

No. Cookies that are strictly necessary to provide an information society service requested by the user (e.g., cart management, session security) are not subject to explicit consent as they are based on 'performance of a contract' or 'legitimate interest' exceptions. However, providing information about these cookies in the disclosure text is a legal obligation.

No, this is contrary to regulations. According to data protection authority decisions, explicit consent requires an active action. Options the user will consent to (e.g., marketing cookies) must be off (unchecked) by default, and the visitor must provide consent by checking them of their own volition.

As long as the user does not provide consent, or continues browsing without specifying preferences, no non-mandatory cookies (analytical, advertising, etc.) should be placed on their device. Silence or scrolling down the page cannot be accepted as consent.

While penalties vary depending on the nature of the violation, administrative fines ranging from hundreds of thousands to millions can be applied within the framework of the limits determined by the Authority for failure to fulfill the disclosure obligation or unlawful processing of personal data.

The text must be easily accessible from every page of the platform. The generally accepted practice is to add a clear, readable link named 'Cookie Disclosure Text' or 'Cookie Policy' to the 'Footer' section at the bottom of the site.

These are cookies created and managed by a domain other than the one you are visiting (e.g., advertising networks, social media plugins, analytics providers). They are generally used to track and profile users across different websites.

Yes. By law, withdrawing consent must be as easy as giving it. Your site should have a persistent panel where users can click and change their preferences at any time (e.g., a 'Manage Cookie Preferences' button).

E-commerce sites contain many targeting and remarketing cookies by nature. While cart operations are considered mandatory, tracking mechanisms such as 'Those who bought this also bought that' or cookies set up to send emails for abandoned carts must strictly be tied to an explicit consent protocol.

It is not contrary, but it brings extra obligations. If the cookie infrastructure transfers data to servers abroad, data transfer rules come into play. This must be clearly stated in the disclosure text and, if necessary, carried out with explicit consent or approved undertakings.

ZyrexUI combines aesthetics and performance with legal compliance in corporate architecture design processes. We install advanced cookie management integrations on the platforms we develop that meet GDPR requirements, keep logs securely, and run opt-in/opt-out functions flawlessly.